[Opendnssec-develop] DelegationSignerSubmitCommand

Rickard Bellgrim rickard.bellgrim at iis.se
Thu Dec 9 10:15:09 UTC 2010

On 8 dec 2010, at 11.14, Sion Lloyd wrote:

>> The rollover procedures are still quite a mess. Could you perhaps propose
>> how we should do this in a clean way, so that the
>> DelegationSignerSubmitCommand also function as intended?
> The only way I can think to make this clean is to force a pure rollover scheme 
> on the user... This would mean disabling the no-retire flag and having the 
> dssub command only send the new key.
> Is this too draconian and restrictive though? Keep in mind that this might be 
> the only KSK rollover scheme available for the next two releases...

What do you Jakob say about this?

> Is it too late in the release to introduce a new flag or rollover option 
> "strict" which forces this behaviour? (I think so, but will work on this if we 
> think it is really needed.)

Yeah, new feature is too late. And another flag will confuse it even more.

> We could document the current situation and fix this either after the release 
> in 1.2 or for 1.3 (which I believe will not have the new enforcer code)?

Ok, yes. The option is to fix this in 1.2 or 1.3. Do we have any comments on this?

// Rickard

More information about the Opendnssec-develop mailing list